Summary

As proposed, the Cloud and AI Development Act (CADA) does not impose fines as a fixed percentage of global turnover, unlike the GDPR or the AI Act. Instead, Article 24(2)(f) of the CADA proposal mandates that Member States consider the infringing party's "annual turnover in the preceding financial year in the Union" as one criterion among several when determining penalties. This approach shifts the focus from a rigid statutory cap to a contextual assessment where turnover is a factor in ensuring the penalty is "effective, proportionate and dissuasive," rather than a mathematical multiplier.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a unique enforcement regime for cloud sovereignty infringements. While major EU digital regulations like the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act) rely on percentage-based caps tied to worldwide turnover, CADA adopts a more flexible, criteria-based model. This distinction is critical for cloud service providers operating across the EU single market.

Article 24: The Framework for Penalties

The primary legal basis for penalties under CADA is Article 24, located in Title IV (Autonomy), Chapter I (Cloud computing sovereignty framework). This article explicitly delegates the specific quantification of fines to Member States, requiring them to "lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers."

The core requirement is that these penalties must be "effective, proportionate and dissuasive." However, unlike the GDPR's Article 83 or the AI Act's Article 99, CADA does not define a maximum ceiling (e.g., "€20 million or 4% of turnover"). Instead, Article 24(2) provides a non-exhaustive list of criteria that Member States shall take into account when imposing penalties.

The specific criteria listed in Article 24(2) include:

  • (a) The nature, gravity, scale and duration of the infringement;
  • (b) Any action taken by the infringing party to mitigate or remedy the damage caused by the infringement;
  • (c) Any previous infringements by the infringing party;
  • (d) The financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be reliably established;
  • (e) Any other aggravating or mitigating factor applicable to the circumstances of the case;
  • (f) The infringing party's annual turnover in the preceding financial year in the Union.

Article 24(2)(f) is the specific provision addressing turnover. It explicitly limits the scope to turnover "in the Union" for the "preceding financial year." This is a deliberate departure from the "total worldwide annual turnover" language found in the GDPR and AI Act. By focusing on Union turnover, the proposal aims to ensure that penalties are relevant to the market where the infringement occurred and where the sovereignty framework applies, without automatically triggering global-scale fines for minor breaches.

Because this criterion is listed alongside others (such as the nature of the infringement or mitigation efforts), it functions as a weighting factor rather than a formula. A provider with high Union turnover but a minor, quickly remediated technical error might face a lower penalty than a provider with lower turnover but a severe, prolonged breach of public order.

Contrast with GDPR and AI Act

To fully grasp the implications of CADA's approach, it is essential to contrast it with the established penalty regimes of the GDPR and the AI Act.

1. The GDPR Model (Fixed Percentage Caps)

Under Article 83 of the GDPR, fines are calculated based on the higher of a fixed amount or a percentage of the undertaking's total worldwide annual turnover. For the most serious infringements, this cap is €20 million or 4% of total worldwide turnover. This creates a predictable, high-stakes ceiling that applies globally, regardless of where the data processing occurred.

2. The AI Act Model (Higher Percentage Caps)

The AI Act, specifically Article 99, adopts a similar but more severe structure for prohibited practices. It sets maximum fines at up to €35 million or 7% of the undertaking's total worldwide annual turnover. This reflects the high-risk nature of prohibited AI practices.

3. The CADA Model (Contextual Criteria)

CADA does not replicate these "whichever is higher" global turnover models.

  • No Fixed Cap: CADA does not set a maximum fine amount or a percentage cap in the text of the Regulation itself.
  • Union Turnover Only: Article 24(2)(f) specifically references turnover "in the Union," not worldwide turnover. This limits the financial baseline for the penalty calculation to the EU market.
  • Discretionary Weighting: Turnover is one criterion among several. It is not the sole determinant. The final penalty is determined by the national competent authority based on the totality of the circumstances, including the gravity of the breach and the provider's response.

This structural difference reflects CADA's policy objective: to foster a competitive European cloud market. By avoiding rigid global caps, the proposal aims to prevent disproportionately penalizing smaller, emerging EU providers while still ensuring that large incumbents face significant consequences for sovereignty breaches. It allows national authorities to tailor penalties to the specific economic reality of the provider within the EU.

Compensation Rights: Beyond Administrative Fines

In addition to the administrative penalties described above, Article 24(3) introduces a distinct civil liability mechanism. It states that "recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This means that beyond regulatory fines imposed by the state, cloud providers face a dual financial risk:

  1. Administrative Penalties: Imposed by national competent authorities based on the criteria in Article 24(2).
  2. Civil Compensation: Direct claims from public sector bodies or other service recipients for damages caused by sovereignty breaches (e.g., data exfiltration, service disruption due to third-country interference).

This civil liability is separate from the fine calculation and is not capped by the turnover criteria in Article 24(2)(f).

What this means for you

For in-house counsel, compliance officers, and risk managers, the absence of a fixed percentage cap in CADA creates a different risk profile compared to GDPR or AI Act compliance. Penalties are less predictable and highly dependent on national implementation and the specific facts of the breach.

1. Monitor National Transposition and Guidance

Although CADA is a Regulation and directly applicable, Article 24(1) requires Member States to "lay down the rules on penalties." This means each Member State will define the specific procedural rules and potentially the weighting of the criteria in Article 24(2). You must track how each Member State where you operate interprets "effective, proportionate and dissuasive." Some states may adopt strict guidelines that effectively create de facto caps, while others may grant authorities wide discretion to set fines based on the specific gravity of the breach.

2. Prioritize Mitigation and Remediation

Because Article 24(2)(b) explicitly lists "any action taken by the infringing party to mitigate or remedy the damage" as a mandatory criterion, your incident response protocols are critical. If a sovereignty audit reveals a breach (e.g., data leakage outside the Union or unauthorized third-country access), immediate remediation, transparent reporting to the competent authority, and evidence of corrective action can significantly reduce the final penalty. The law explicitly rewards proactive damage control.

3. Scrutinize EU-Specific Financial Reporting

Ensure your financial reporting clearly distinguishes Union turnover from global turnover. Since Article 24(2)(f) specifies "annual turnover in the preceding financial year in the Union," auditors and regulators will look specifically at your EU-specific revenue streams. Inaccuracies in reporting this figure could lead to disputes over the baseline for penalty calculations. Note that this is distinct from the "worldwide turnover" figures used for GDPR or AI Act fines.

4. Review Contractual Risk Allocation

Given the compensation rights in Article 24(3), review your contracts with public sector clients and other service recipients. Ensure that liability clauses address potential damages arising from sovereignty breaches. Consider whether your current insurance products cover this specific regulatory risk, as civil claims for damages are not capped by the administrative penalty criteria.

5. Prepare for Multi-Factor Assessments

Do not assume that a high Union turnover automatically guarantees a high fine. The penalty will be a result of a multi-factor assessment. A provider with high turnover but a minor, quickly fixed error may face a lower penalty than a smaller provider with a severe, prolonged breach of public order. Conversely, a high turnover combined with a severe breach and lack of mitigation will likely result in a significant penalty.

Common misconceptions

Misconception 1: "CADA fines are capped at 4% of global turnover like the GDPR."
Fact: CADA does not set a percentage cap. It lists Union turnover as one criterion among several in Article 24(2)(f). The final fine is determined by the national competent authority based on the totality of the circumstances, not a mathematical formula.

Misconception 2: "Only the largest hyperscalers need to worry about fines because turnover is a factor."
Fact: While turnover is a factor, the "nature, gravity, scale and duration" (Article 24(2)(a)) are equally critical. A small provider that negligently exposes sensitive public sector data to unauthorized third-country access could face severe penalties relative to its size, especially if it causes significant operational disruption or undermines public order.

Misconception 3: "Fines are the only financial risk under CADA."
Fact: Article 24(3) allows service recipients to seek compensation for damages. For cloud providers, this means potential civil litigation from clients in addition to regulatory fines from the state. This civil liability is separate from the administrative penalty calculation.

Misconception 4: "CADA uses worldwide turnover like the AI Act."
Fact: No. Article 24(2)(f) explicitly limits the turnover reference to "in the Union." This is a significant narrowing of the financial baseline compared to the "total worldwide annual turnover" used in the AI Act (Article 99) and GDPR (Article 83).

This is general information about a draft EU regulation, not legal advice.